ember/template-no-triple-curlies

💼 This rule is enabled in the following configs: strict-gjs, strict-gts.

Disallows usage of triple curly brackets (unescaped output) in templates.

Triple curly brackets ({{{ }}}) render unescaped HTML, which can lead to XSS (Cross-Site Scripting) vulnerabilities if user input is not properly sanitized.

Rule Details

This rule disallows the use of triple curly brackets for unescaped output. If you need to render HTML, use the htmlSafe helper or SafeString API with proper sanitization.

Examples

Examples of incorrect code for this rule:

<template>
  {{{this.content}}}
</template>

<template>
  <div>
    {{{@htmlContent}}}
  </div>
</template>

Examples of correct code for this rule:

<template>
  {{this.content}}
</template>

<template>
  {{htmlSafe this.sanitizedContent}}
</template>

<template>
  <div>{{@text}}</div>
</template>
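To make the difference between the incorrect and correct forms concrete, here is an added JavaScript model of what `{{value}}`, `{{{value}}}` and `htmlSafe` do to the same untrusted string. It is not Ember's or the plugin's code; `SafeString`, `htmlSafe`, `escapeExpression` and the escape table are simplified stand-ins modeled on Handlebars' `escapeExpression` (an assumption, not Ember's real implementation), and the inputs are constructed.

```javascript
// Escape table modeled on Handlebars' escapeExpression (assumption: Ember's
// renderer escapes the same set of characters in {{ }} output).
const ESCAPE_MAP = {
  "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;",
  "'": "&#x27;", "`": "&#x60;", "=": "&#x3D;",
};

// Stand-in for Ember's SafeString: a wrapper telling the renderer
// "this markup has already been vetted, do not escape it".
class SafeString {
  constructor(str) { this.str = String(str); }
  toHTML() { return this.str; }
  toString() { return this.str; }
}

// Stand-in for the htmlSafe helper: marks a string as trusted markup.
function htmlSafe(str) { return new SafeString(str); }

// Text escaping applied by double curlies.
function escapeExpression(value) {
  return String(value).replace(/[&<>"'`=]/g, (c) => ESCAPE_MAP[c]);
}

// {{value}}: escapes everything except a SafeString.
function renderDoubleCurly(value) {
  if (value instanceof SafeString) return value.toHTML();
  return escapeExpression(value);
}

// {{{value}}}: inserts the raw markup, escaping nothing (what the rule flags).
function renderTripleCurly(value) {
  return String(value);
}

// Constructed untrusted input, e.g. a user-supplied comment body.
const untrusted = '<b>hello</b><script>alert("xss")</script>';

// Constructed stand-in for the OUTPUT of a real allow-list sanitizer
// (assumption: sanitization happened before htmlSafe, as the rule requires).
const sanitized = "<b>hello</b>";

// Same input, three rendering paths.
function demo() {
  return {
    escaped: renderDoubleCurly(untrusted),           // inert text
    raw: renderTripleCurly(untrusted),               // script survives
    trusted: renderDoubleCurly(htmlSafe(sanitized)), // vetted markup only
  };
}
console.log(demo());
```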

When Not To Use It

If you are certain that the content being rendered is already sanitized and safe, you may disable this rule. However, this is generally discouraged for security reasons.

Related Rules

References